Bug 12574

Summary: zabbix new security issues CVE-2014-1685, CVE-2014-1682, and CVE-2013-5572
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: ennael1, mitya, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/588437/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
Source RPM: zabbix-2.0.10-1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-02-04 15:11:38 CET 
Upstream has released 2.2.2rc1 on February 3, fixing two security issues:
http://www.zabbix.com/rn2.2.2rc1.php

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-04 15:12:06 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-02-12 16:11:06 CET 
Zabbix 2.2.2 final is out, also fixing one more security issue:
http://www.zabbix.com/rn2.2.2.php

Summary: zabbix new security issues CVE-2014-1682 and CVE-2013-5572 => zabbix new security issues CVE-2014-1685, CVE-2014-1682, and CVE-2013-5572

Comment 2 David Walser 2014-02-24 18:18:34 CET 
The issues are also fixed in 2.0.11.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated zabbix packages fix security vulnerabilities:

Zabbix before 2.0.11 allows remote authenticated users to discover the LDAP
bind password by leveraging management-console access and reading the
ldap_bind_password value in the HTML source code (CVE-2013-5572).

Zabbix before 2.0.11 allows switching users without proper credentials when
using HTTP authentication (CVE-2014-1682).

In Zabbix before 2.0.11, the admin user is able to update media for other
users (CVE-2014-1685).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1685
https://support.zabbix.com/browse/ZBX-6721
https://support.zabbix.com/browse/ZBX-7693
https://support.zabbix.com/browse/ZBX-7703
http://www.zabbix.com/rn2.0.11.php
========================

Updated packages in core/updates_testing:
========================
zabbix-server-2.0.11-1.mga3
zabbix-server-mysql-2.0.11-1.mga3
zabbix-server-pgsql-2.0.11-1.mga3
zabbix-server-sqlite-2.0.11-1.mga3
zabbix-proxy-2.0.11-1.mga3
zabbix-proxy-mysql-2.0.11-1.mga3
zabbix-proxy-pgsql-2.0.11-1.mga3
zabbix-proxy-sqlite-2.0.11-1.mga3
zabbix-java-2.0.11-1.mga3
zabbix-agent-2.0.11-1.mga3
zabbix-web-2.0.11-1.mga3
zabbix-server-2.0.11-1.mga4
zabbix-server-mysql-2.0.11-1.mga4
zabbix-server-pgsql-2.0.11-1.mga4
zabbix-server-sqlite-2.0.11-1.mga4
zabbix-proxy-2.0.11-1.mga4
zabbix-proxy-mysql-2.0.11-1.mga4
zabbix-proxy-pgsql-2.0.11-1.mga4
zabbix-proxy-sqlite-2.0.11-1.mga4
zabbix-java-2.0.11-1.mga4
zabbix-agent-2.0.11-1.mga4
zabbix-web-2.0.11-1.mga4

from SRPMS:
zabbix-2.0.11-1.mga3.src.rpm
zabbix-2.0.11-1.mga4.src.rpm

CC: (none) => mitya
Version: Cauldron => 4
Assignee: mitya => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 claire robinson 2014-02-25 09:07:10 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11868#c7 onwards

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 Anne Nicolas 2014-02-25 11:07:48 CET 
Tested on Mageia 4 64

After install, created a mysql database zabbix.

Set these details in /etc/zabbix/zabbix_server.conf.

Imported the database schema, images and data..

# cd /usr/share/zabbix/schema/database/mysql

# mysql zabbix < schema.sql 
Enter password:
# mysql zabbix < images.sql 
Enter password: 
# mysql zabbix < data.sql 
Enter password: 

Started zabbix-server service then browsed to http://localhost/zabbix and configured the database. When complete the default administrative login in Admin/zabbix.

works all ok here

CC: (none) => ennael1
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 5 Anne Nicolas 2014-02-25 11:15:49 CET 
Tested on Mageia 4 32

After install, created a mysql database zabbix.

Set these details in /etc/zabbix/zabbix_server.conf.

Imported the database schema, images and data..

# cd /usr/share/zabbix/schema/database/mysql

# mysql zabbix < schema.sql 
Enter password:
# mysql zabbix < images.sql 
Enter password: 
# mysql zabbix < data.sql 
Enter password: 

Started zabbix-server service then browsed to http://localhost/zabbix and configured the database. When complete the default administrative login in Admin/zabbix.

works all ok here

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

Comment 6 claire robinson 2014-02-25 12:48:42 CET 
Depending on your sql configuration you might need -u <database user> and -p in the mysql commands. The -p makes it ask for a password, it doesn't take the next word to be the password.

eg. With database name,database user & database password of zabbix

mysql -u zabbix -p zabbix < schema.sql
Enter password:<enter zabbix>
Comment 7 claire robinson 2014-02-25 12:49:01 CET 
Testing mga3 32 & 64 now
Comment 8 claire robinson 2014-02-25 13:08:11 CET 
Testing complete mga3 32 & 64

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok

Comment 9 claire robinson 2014-02-25 13:35:27 CET 
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-02-25 23:19:49 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0095.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-02-26 18:14:17 CET

URL: (none) => http://lwn.net/Vulnerabilities/588437/